Configuring HTTPS with TLS certificates

Learn how to configure secure HTTPS connections in Knative using TLS
certificates (TLS replaces SSL).
Configure secure HTTPS connections to enable your Knative services and routes to
terminate external TLS connections.
You can configure Knative to handle certificates that you manually specify, or
you can enable Knative to automatically obtain and renew certificates.

You can use either Certbot or cert-manager to obtain certificates.
Both tools support TLS certificates, but if you want to enable Knative for
automatic TLS certificate provisioning, you must install and configure the
cert-manager tool:

Manually obtain and renew certificates: Both the Certbot and cert-manager
tools can be used to manually obtain TLS certificates. In general, after you
obtain a certificate, you must create a Kubernetes secret to use that
certificate in your cluster. See the complete set of steps below for details
about manually obtaining and configuring certificates.

Enable Knative to automatically obtain and renew TLS certificates: You can
also use cert-manager to configure Knative to automatically obtain new TLS
certificates and renew existing ones. If you want to enable Knative to
automatically provision TLS certificates, instead see the
Enabling automatic TLS certificate provisioning topic.

Important: Certificates issued by Let’s Encrypt are valid for only 90
days. Therefore, if you choose to manually obtain and configure your
certificates, you must ensure that you renew each certificate before it
expires.

Before you begin

You must meet the following requirements to enable secure HTTPS connections:

Important: Istio only supports a single certificate per Kubernetes cluster.
To serve multiple domains using your Knative cluster, you must ensure that your
new or existing certificate is signed for each of the domains that you want to
serve.

where -d specifies your domain. If you want to validate multiple domains,
you can include multiple flags:
-d MY.EXAMPLEDOMAIN.1 -d MY.EXAMPLEDOMAIN.2. For more information, see the
Certbot command-line reference.

The Certbot tool walks you through the steps of validating that you own each
domain that you specify by creating TXT records in those domains.

Automatic certificates: Configure Knative to use cert-manager for
automatically obtaining and renewing TLS certificates. The steps for installing
and configuring cert-manager for this method are covered in full in the
Enabling automatic TLS cert provisioning topic.

Manually adding a TLS certificate

If you have an existing certificate or have used one of the Certbot or
cert-manager tools to manually obtain a new certificate, you can use the
following steps to add that certificate to your Knative cluster.

# Please edit the object below. Lines beginning with a '#' will be ignored.
# and an empty file will abort the edit. If an error occurs while saving this
# file will be reopened with the relevant failures.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  # ... skipped ...
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - "*"
      port:
        name: http
        number: 80
        protocol: HTTP
    - hosts:
        - "*"
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
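
A pre-flight check for a manually obtained certificate, added here as an example (it is not part of the Knative documentation): it parses the text printed by openssl x509 -noout -enddate -ext subjectAltName and reports which served domains the certificate does not cover and how many days remain before it expires. The sample output, the domain names, the function names and the 30-day renewal window are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the text printed by
#   openssl x509 -in tls.crt -noout -enddate -ext subjectAltName
# The names and the date are made up for this example.
SAMPLE_OPENSSL_OUTPUT = """\
notAfter=Jun 30 12:00:00 2024 GMT
X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.apps.example.com
"""

def parse_cert_text(text):
    """Return (not_after, san_dns_names) parsed from the openssl text."""
    m = re.search(r"^notAfter=(.+?) GMT\s*$", text, re.M)
    if not m:
        raise ValueError("no notAfter line found")
    # openssl pads single-digit days with a space; split() normalises it.
    stamp = " ".join(m.group(1).split())
    not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    sans = [n.lower() for n in re.findall(r"DNS:([^,\s]+)", text)]
    return not_after.replace(tzinfo=timezone.utc), sans

def san_covers(san, host):
    """True if one SAN entry covers host. A wildcard stands for exactly
    one left-most label, so *.apps.example.com does not cover
    a.b.apps.example.com or apps.example.com itself."""
    san_labels = san.split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return san_labels[1:] == host_labels[1:]
    return san_labels == host_labels

def check_certificate(text, domains, now, renew_within_days=30):
    """Report uncovered domains and remaining validity.
    renew_within_days is an assumed safety margin, not a Knative setting."""
    not_after, sans = parse_cert_text(text)
    uncovered = [d for d in domains
                 if not any(san_covers(s, d) for s in sans)]
    days_left = (not_after - now).days
    return {"uncovered": uncovered, "days_left": days_left,
            "renew_now": days_left <= renew_within_days}

if __name__ == "__main__":
    served = ["example.com", "hello.apps.example.com", "other.example.com"]
    print(check_certificate(SAMPLE_OPENSSL_OUTPUT, served,
                            datetime.now(timezone.utc)))
```

An empty "uncovered" list and "renew_now" set to False mean the certificate is safe to load into the secret that backs the paths in the Gateway above.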

What’s next:

After your changes are running on your Knative cluster, you can begin using the
HTTPS protocol for secure access to your deployed Knative services.